Amir, >I support the adoption of "draft-sriram-opsec-urpf-improvements" as an >OPSEC Working Group document.
Thank you. > >Let me mention that I think the WG should also consider potential use of >RPKI as a complementary mechanism to improve uRPF. Namely, if there is an >ROA for the prefix-origin pair, it should be allowed (even if the >(enhanced/preferred)uRPF check fails. In a future (fantasy?) where RPKI is I agree with you here. When you say, "if there is an ROA for the prefix-origin pair, it should be allowed", I think you mean ROA for prefix-origin pair with origin AS in the ISP's customer cone. What you propose can be done even in partial deployment of RPKI, of course not stand alone but for augmenting the RPF lists constructed with the methods proposed in the draft. It helps to add completeness and/or perform additional sanity checks for the RPF filters. Of course, the benefit of doing this (as a complementary mechanism) gets increasing better as the RPKI deployment grows. Sriram >widely deployed, this solution may have even been better. I'm aware that >this is, unfortuately, far cry from current situation, hence I definitely >support moving forward with this draft. My comment can be discussed as part >of this or separately (or not at all). > >thanks, Amir > > _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
